I can think of a few non-practical prototypes (Moller Skycar which seems to be an investment scam, last flight was in 2003 and was a tethered hover) and a few light aircraft/gyrocopters with what is generously described as extended taxi capability.

But nothing that really fits the road to sky and back again paradigm, don't need a pilot's license.

Chinese cyber spies have reportedly obtained top-secret information on major weapons systems in the US, including the F-35 Joint Strike Fighter.

I find that hard to believe, since anything TS would be on an air-gapped network like Joe Schmoe suggested on the previous page. More likely the classification of the material hasn't been disclosed, but journalists being journalists it's now "top secret info".

TS info isn't necessarily air-gapped. There are multilevel security architectures that allow the secure connection of (for example) Top Secret and Secret networks, with the ability to control and audit the flow of information between them. DOD in general is getting much better at cyber, pretty quickly, but they're still pretty balkanized, and you usually only need one entry point.

But I suspect the real vulnerability is contractors. The Lockheeds and Boeings of the military-industrial complex are notoriously sloppy when it comes to handling classified information. When the Chinese got the F-35 a few years back, they got it out of Lockheed, not the DOD.

Quote:

TS info isn't necessarily air-gapped. There are multilevel security architectures that allow the secure connection of (for example) Top Secret and Secret networks, with the ability to control and audit the flow of information between them. DOD in general is getting much better at cyber, pretty quickly, but they're still pretty balkanized, and you usually only need one entry point.

But I suspect the real vulnerability is contractors. The Lockheeds and Boeings of the military-industrial complex are notoriously sloppy when it comes to handling classified information. When the Chinese got the F-35 a few years back, they got it out of Lockheed, not the DOD.

Doesn't help that the security mindset at one time was the "crunchy on the outside, juicy center" paradigm. It's moving to the "crunchy on the outside, and each piece on the inside is crunchy too", albeit slowly.

I think there is a classified payload in there as well somewhere. IIRC MUOS is the heaviest satellite they've put up, needing an Atlas V. I was in FL for work last week and could have stepped out onto the beach to watch WGS5 go up but the scrub on Thursday meant I'd be on a plane home when they tried Friday.

A GPS II-F (#4 I think) went up not long ago as well. I recall seeing ULA has successfully executed something like 71 launches in 77 months. Not bad.

Edit: GPS IIF-4 up 15 May. According to Wikipedia NRO payload up in August 20 days after WGS 6.

Quote:

TS info isn't necessarily air-gapped. There are multilevel security architectures that allow the secure connection of (for example) Top Secret and Secret networks, with the ability to control and audit the flow of information between them. DOD in general is getting much better at cyber, pretty quickly, but they're still pretty balkanized, and you usually only need one entry point.

But I suspect the real vulnerability is contractors. The Lockheeds and Boeings of the military-industrial complex are notoriously sloppy when it comes to handling classified information. When the Chinese got the F-35 a few years back, they got it out of Lockheed, not the DOD.

Compromising TS would be significantly more difficult than compromising S, but the Chinese have compromised S with astonishing regularity so I wouldn't be surprised if they had access to a limited amount of TS information as well.

DoD has excellent policy for cyber security, but the auditing and enforcement of that policy is crap. I've participated in several security evaluations which had extremely negative results, and all that happens is the evaluating agency says "Well, try and get better at this." DoD has really smart people creating really solid policies, but the overall skill/knowledge level of the organizations performing day to day operations is low enough that a lot of the policies are either not understood or not implemented.

Most of that policy goes out the window when you throw contractors into the mix. With a few exceptions, the contractors I've met in the cyber field are malicious by way of incompetence.

Take a look at the AR21 - pretty basic project. Take a DC9 fuselage that you were already building under license. Add modern off the shelf engines and avionics. It's like 8+ years behind schedule. Planned entry into service in 2005, but is still not certified.

They're not 'flying cars' by any stretch of the imagination, because they still need a runway to take off and have the same maintenance requirements as any other light aircraft.

The issue with maintenance is the same as the issue with pilots, planes don't have higher maintenance requirements solely because they break down more, but because a mechanical failure means plummeting to the ground instead of rolling to a stop. That's not something that can really be changed or fixed. More sensors and better self-monitoring can help manage it and make it more friendly, but the physics of flight mean wear and tear is always going to be much greater than it is for a ground car.

Quote:

That said, I also imagine they do not enjoy as robust a pool of knowledge, specifically, highly-experienced/trained engineering groups capable of top-tier technology development/manufacture.

Exactly. If just having the plans was enough, we wouldn't have nearly as many debacles in this thread as we do. Making stuff is hard.

Quote:

DoD has excellent policy for cyber security, but the auditing and enforcement of that policy is crap. I've participated in several security evaluations which had extremely negative results, and all that happens is the evaluating agency says "Well, try and get better at this." DoD has really smart people creating really solid policies, but the overall skill/knowledge level of the organizations performing day to day operations is low enough that a lot of the policies are either not understood or not implemented.

The big problem with the DoD itself is that every department, division, and squad has its own IT organization, doing things its own way. That's why security on SIPR (and, by extension, anything at the Secret level) is a joke--any US .mil can hook up to it with just an ASA in between. There is a big push within the DOD to centralize all IT in large, hypersecure SCIFs and insist on encrypted remote access for day to day operations. We'll see if it goes anywhere.

The second biggest problem with the DoD is that the excellent cybersecurity policies take decades to develop. The standard for network security is still to use 2003-vintage Type 1 encryptors, which last I heard were out of production, but there is no replacement policy in place to allow VPNs or anything.

Quote:

Most of that policy goes out the window when you throw contractors into the mix. With a few exceptions, the contractors I've met in the cyber field are malicious by way of incompetence.

Contractors (and their employers) are beholden to no one for enforcing security, so of course they're going to ignore it.

Quote:

Contractors (and their employers) are beholden to no one for enforcing security, so of course they're going to ignore it.

Isn't DSS in charge of enforcing security among military contractors?

I think DISA is more in charge of the IT stuff while DSS handles more general security issues--physical security, clearances, that sort of thing. I could be wrong though. My impression is that DISA enforces things at the front end, checking architectures and policies prior to deployment, as opposed to doing a lot of audits and compliance checks after the system goes in. I know some DoD folks live in mortal fear of DISA, but I'm not sure exactly what their scope is or what happens if someone were to actually fail some sort of audit.

Quote:

The big problem with the DoD itself is that every department, division, and squad has its own IT organization, doing things its own way.

CYBERCOM is supposed to fix it but it's still getting spun up and some of the services (*cough* airforce *cough*) are still in a state of mind where cyber is a new battlefield that needs to be "claimed" by one of the services. Another big problem is competency levels - in my experience the average technician's knowledge level in the AF or Navy is mediocre. In the Army it drops down to low (with the exception of most chiefs, who are pretty sharp), and the Marines are almost embarrassingly inexperienced.

Quote:

Contractors (and their employers) are beholden to no one for enforcing security, so of course they're going to ignore it.

Well, the Pentagon did try to introduce a measure that would force defense contractors to undergo cyber security audits, but Congress (after a few alarmed phone calls from said corporations) killed it.

Quote:

CYBERCOM is supposed to fix it but it's still getting spun up and some of the services (*cough* airforce *cough*) are still in a state of mind where cyber is a new battlefield that needs to be "claimed" by one of the services. Another big problem is competency levels - in my experience the average technician's knowledge level in the AF or Navy is mediocre. In the Army it drops down to low (with the exception of most chiefs, who are pretty sharp), and the Marines are almost embarrassingly inexperienced.

Ironically, around here it's the Marines who show the most aptitude. They're the ones driving the cyber component of the large exercises, so they have a pretty good handle on both offensive and defensive operations. It's hard for me to wrap my head around--typically Marines are known only for breaking things, often involuntarily.

Quote:

Well, the Pentagon did try to introduce a measure that would force defense contractors to undergo cyber security audits, but Congress (after a few alarmed phone calls from said corporations) killed it.

Marine enlistment testing standards are (according to my recruiter buddies) second only to the Air Force.

Standard practice for decades has been to send low ASVAB scorers "down the hall" to the Army and Navy. It was a standing joke when I enlisted then as my peers scored recruiter duty they confirmed it. No sense wasting someone willing to serve.

Quote:

-typically Marines are known only for breaking things, often involuntarily.

Those guys/gals work out and put their strength to use. Our Snap-on tools government rep was amazed at the volume of tools turned in by Marine units under the lifetime warranty program. Not little shit, but 3/4" drive and up.

Quote:

Those guys/gals work out and put their strength to use. Our Snap-on tools government rep was amazed at the volume of tools turned in by Marine units under the lifetime warranty program. Not little shit, but 3/4" drive and up.

"Give me a cheater bar long enough and a wrench on which to place it, and I shall shear the world"

I dunno, DOD IT is unusually byzantine and politicized. I seriously wonder if they're not better off with the current every-man-for-himself IT model, despite the security problems.

Some probably are, but a lot are probably absolutely terrible. It's a lot easier to put a whole lot of eyes and effort on securing a centralized system than it is on securing many numerous one-off systems. The key is putting the competent people in charge, which is of course a crap shoot.

Yeah...here's probably the best example of why DoD policy is so terrible from my personal experience:

Microsoft releases a patch for Windows 7. The DoD/CYBERCOM have to examine, test, and approve the patch before the services can apply their bureaucracy. Then the US Army has to use the process before releasing to lower. Then the National Guard Bureau has to apply the process. Then the state headquarters has to apply the process. After all that...then my unit's IT section finally gets to apply the process and approve the patch for use.

Military IT's quite thorough. The problem isn't so much the IT personnel, it's the massive military bureaucracy as forced on IT issues.

That so many reverse-engineer patches to generate exploit code witnesses the sorrowful ubiquity of such bureaucracy, not just in military or government. Take an action that isn't authorised, like applying vendor patches, and something goes wrong it's your fault. Take no action and systems get compromised, no one is at fault and you request more money to set up a bureaucracy to prevent future compromises.

A big part of the problem is expecting that if systems aren't purposely changed that they will continue working the same indefinitely (explicitly ignoring outside factors and implicitly ignoring other risks), but that's a problem with most information technology still.

Sometimes. DoD can push an immediate action that bypasses the bureaucracy for 0-days, but some lag time exists. Patches aren't nearly as terrible as full program versions. My state was stuck on IE6 until 2009. We're just now getting a lot of systems updated to Windows 7. Updating plain computers is easy enough, but updating computers that are purpose-built with unique software is massively delayed to prevent the upgrade possibly breaking the functionality of the unique software.

Your mission critical software runs on top of windows 7 machines connected to the internet?

The majority of the purpose-built systems don't run on the Internet, but some do or at least can. In general, most of the software we have today was designed to run in XP originally. Most of the military did its best to skip Vista so now we have the mad dash to show up late to the Windows 7 game.

Quote:

Your mission critical software runs on top of windows 7 machines connected to the internet?

A rather large percentage of software is mission-critical, if we define mission-critical as meaning the functionality supplied is required for the continuing viability of the enterprise. The idea of segregating mission-critical computers on isolated segments is another 1990s practise that persists -- not that it was the solution then. Even if you have processes that supply patches and time-sync and other services to the isolated segments, there are always reasons those machines end up connected for some reason, so it's best not to indulge in the fantasy that isolated segments will freeze working processes in place. That fantasy is why some SCADA systems justify primitive and easily-bypassed security systems, for instance.

WASHINGTON — A Republican-controlled House panel on Wednesday evening voted to give the Pentagon the green light to erect a missile defense system on the East Coast of the United States, moving the controversial site one step closer to becoming reality.

The site is the product of a plan hatched last year by House Armed Services Committee Republicans, who believe the system is needed to guard against potential missile launches from Iran and North Korea.

The amendment does not approve a specific funding level for the project, but it does order the Missile Defense Agency to deliver Congress a report that includes “a description of the current estimate of the funding to be required for construction and deployment of the missile defense site, including for advance procurement, engineering and design, materials and construction, interceptor missiles, and sensors.”

Why bother reinventing the wheel?

The U.S. co-develops the Arrow 2 and Arrow 3 ballistic missile defense systems, which are a perfect fit for exactly this mission.
